Rebound Attack Florian Mendel Institute for Applied Information - - PowerPoint PPT Presentation

rebound attack
SMART_READER_LITE
LIVE PREVIEW

Rebound Attack Florian Mendel Institute for Applied Information - - PowerPoint PPT Presentation

Dec 09, 2022 206 likes •562 views

Rebound Attack Florian Mendel Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria http://www.iaik.tugraz.at/ Outline Motivation 1 2 Whirlpool Hash

slide-1
SLIDE 1

Rebound Attack

Florian Mendel

Institute for Applied Information Processing and Communications (IAIK) Graz University of Technology Inffeldgasse 16a, A-8010 Graz, Austria

http://www.iaik.tugraz.at/

slide-2
SLIDE 2

Outline

1

Motivation

2

Whirlpool Hash Function

3

Application of the Rebound Attack

4

Summary

slide-3
SLIDE 3

The Rebound Attack [MRST09]

Tool in the differential cryptanalysis of hash functions Invented during the design of Grøstl

AES-based designs allow a simple application of the idea

Has been applied to a wide range of hash functions

Echo, Grøstl, JH, Lane, Luffa, Maelstrom, Skein, Twister, Whirlpool, . . .

slide-4
SLIDE 4

The Rebound Attack

Ebw Ein Efw

inbound

  • utbound
  • utbound

Applies to block cipher and permutation based designs: E = Efw ◦ Ein ◦ Ebw P = Pfw ◦ Pin ◦ Pbw

slide-5
SLIDE 5

The Rebound Attack

Ebw Ein Efw

inbound

  • utbound
  • utbound

Inbound phase

efficient meet-in-the-middle phase in Ein using available degrees of freedom

Outbound phase

probabilistic part in Ebw and Efw repeat inbound phase if needed

slide-6
SLIDE 6

The Whirlpool Hash Function

IV f M1 f M2 f M3 f Mt H(m)

designed by Barretto and Rijmen in 2000 [BR00]

evaluated by NESSIE standardized by ISO/IEC 10118-3:2003

iterative, based on the Merkle-Damg˚ ard design principle message block, chaining values, hash size: 512 bit

slide-7
SLIDE 7

The Whirlpool Compression Function

Mj Hj−1 Hj

state update SB SC MR AK key schedule SB SC MR AC

512-bit hash value and using 512-bit message blocks Block-cipher based design (similar to AES)

Miyaguchi-Preneel mode with conservative key schedule

slide-8
SLIDE 8

The Whirlpool Round Transformations

SubBytes ShiftColumns MixRows AddRoundKey Ki

S(x)

+

The state update and the key schedule update an 8 × 8 state S and K of 64 bytes 10 rounds each AES like round transformation ri = AK ◦ MR ◦ SC ◦ SB

slide-9
SLIDE 9

Notations

Round i

Si−1 SSB

i

SSC

i

SMR

i

Si

SB SC MR AK

Ki−1 K SB

i

K SC

i

K MR

i

Ki

SB SC MR AC

Ci

slide-10
SLIDE 10

Collision Attack on Whirlpool

Hj−1 Hj

state update SB SC MR AK key schedule SB SC MR AC

Mj ∆Mj

1-block collision:

fixed Hj−1 (to IV) f(Mj, Hj−1) = f(M∗

j , Hj−1), Mj = M∗ j

generic complexity 2256 (n = 512)

slide-11
SLIDE 11

Collision Attack on 4 Rounds

SB SC MR AK SB SC MR AK SB SC MR AK SB SC MR AK SB SC MR AC SB SC MR AC SB SC MR AC SB SC MR AC

S0 S1 S2 S3 S4 K0 K1 K2 K3 K4 M1 IV H1

constant Differential trail with minimum number of active S-boxes

81 for any 4-round trail (1 → 8 → 64 → 8) maximum differential probability: (2−5)81 = 2−405

How to find a message pair following the differential trail?

slide-12
SLIDE 12

First: Use Truncated Differences

S0 S1 S2 S3 S4

SB SC MR AK SB SC MR AK SB SC MR AK SB SC MR AK

M1 H1

byte-wise truncated differences: active / not active

we do not mind about actual differences single active byte at input and output is enough probabilistic in MixRows: 2−56 for 8 → 1

we can remove many restrictions (more freedom)

hopefully less complexity of message search

slide-13
SLIDE 13

How to Find a Message Pair?

S0 S1 S2 S3 S4

SB SC MR AK SB SC MR AK SB SC MR AK SB SC MR AK

M1 H1

message modification? inside out? meet in the middle? rebound!

slide-14
SLIDE 14

Rebound Attack on 4 Rounds [MRST09]

S0 S1 S2 S3 S4

SB SC MR AK SB SC MR AK SB SC MR AK SB SC MR AK

M1 H1

  • utbound phase

inbound phase

  • utbound phase

Inbound phase

(1) start with differences in round 2 and 3 (2) match-in-the-middle at S-box using values of the state

Outbound phase

(3) probabilistic propagation in MixRows in round 1 and 4 (4) match one-byte difference of feed-forward

slide-15
SLIDE 15

Inbound Phase

3a c0 e6 b9 5a 8c 08 c0 e8 85 0d a2 b1 f8 16 4d f4 50 cc b1 60 ed 27 34 90 cc 01 63 20 85 51 96 d4 6d 0a 11 f4 b7 43 90 75 9a 70 96 1e 43 15 f1 1b 49 43 1e cd 5a de f8 5e 43 e9 4d bf d5 2b 07 cd c5 27 04 10 fc f8 5e ee ee ee 9f ee 23 71 c1 cd ?

SSC

2

S2 SSB

3

SMR

3

MR AK SB SC MR

differences differences match differences get values get values

(1) Start with arbitrary differences in state SMR

3

linearly propagate all differences backward to SSB

3

linearly propagate row-wise forward from SSC

2

to S2

(2) Match-in-the-middle at SubBytes layer

check if differences can be connected (for each S-box) with probability 2−xx we get 2xx solutions for each row

slide-16
SLIDE 16

Match-in-the-Middle for Single S-box

Sbox ∆a ∆b Check for matching input/output differences Using Difference Distribution Table (DDT) Sbox(x) ⊕ Sbox(x ⊕ ∆a) = ∆b

slide-17
SLIDE 17

Difference Distribution Table (Whirlpool)

in \ out 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 00 01 6 2 6 2 4 02 2 4 03 2 2 2 2 2 2 04 2 2 4 2 2 2 2 2 05 2 2 4 2 06 . 4 2 2 2 6 2 4 2 2 . 07 . 2 2 2 4 2 2 2 . 08 . 2 2 2 2 2 4 4 . 09 8 2 4 2 2 2 2 0a 2 2 2 2 0b 8 2 2 2 2 2 2 2 2 2 4 0c 2 2 4 2 2 2 4 2 0d 2 2 2 4 4 2 2 2 0e 4 4 2 2 2 4 2 0f 2 2 2 2 2 . . .

Differences can be connected if there is a non-zero entry in the table

slide-18
SLIDE 18

Match-in-the-Middle for Single S-box

Sbox ∆a ∆b Check for matching input/output differences Using Difference Distribution Table (DDT) Sbox(x) ⊕ Sbox(x ⊕ ∆a) = ∆b Solve equation for all x and count the number of solutions

slide-19
SLIDE 19

Difference Distribution Table (Whirlpool)

The number of differentials and possible pairs for the Sbox solutions frequency 39655 2 20018 4 5043 6 740 8 79 256 1 25880/65025 entries (with ∆a, ∆b = 0) in DDT are nonzero we get either 2, 4, 6 or 8 values for each match

25880 65025 · 65280 25880 = 1.004 values (right pairs) on average

slide-20
SLIDE 20

Match-in-the-Middle for Single S-box

Sbox ∆a ∆b Check for matching input/output differences Using Difference Distribution Table (DDT) Sbox(x) ⊕ Sbox(x ⊕ ∆a) = ∆b Solve equation for all x and count the number of solutions.

∼ 1 values (right pairs) on average

slide-21
SLIDE 21

Inbound Phase

3a c0 e6 b9 5a 8c 08 c0 e8 85 0d a2 b1 f8 16 4d f4 50 cc b1 60 ed 27 34 90 cc 01 63 20 85 51 96 d4 6d 0a 11 f4 b7 43 90 75 9a 70 96 1e 43 15 f1 1b 49 43 1e cd 5a de f8 5e 43 e9 4d bf d5 2b 07 cd c5 27 04 10 fc f8 5e ee ee ee 9f ee 23 71 c1 cd ?

SSC

2

S2 SSB

3

SMR

3

MR AK SB SC MR

differences differences match differences get values get values

(1) Start with arbitrary differences in state SMR

3

linearly propagate all differences backward to SSB

3

linearly propagate row-wise forward from SSC

2

to S2

(2) Match-in-the-middle at SubBytes layer

check if differences can be connected (for each S-box) we need to solve each row at once: complexity ∼ 210.6 (average 1)

slide-22
SLIDE 22

Inbound Phase

3a c0 e6 b9 5a 8c 08 c0 e8 85 0d a2 b1 f8 16 4d f4 50 cc b1 60 ed 27 34 90 cc 01 63 20 85 51 96 d4 6d 0a 11 f4 b7 43 90 75 9a 70 96 1e 43 15 f1 1b 49 43 1e cd 5a de f8 5e 43 e9 4d bf d5 2b 07 cd c5 27 04 10 fc f8 5e ee ee ee 9f ee 23 71 c1 cd

SSC

2

S2 SSB

3

SMR

3

MR AK SB SC MR

differences differences match differences get values get values

(1) Start with arbitrary differences in state SMR

3

linearly propagate all differences backward to SSB

3

linearly propagate row-wise forward from SSC

2

to S2

(2) Match-in-the-middle at SubBytes layer

check if differences can be connected (for each S-box) we need to solve each row at once: complexity ∼ 210.6 (average 1)

slide-23
SLIDE 23

Outbound Phase

S0 S1 S2 S3 S4

SB SC MR AK SB SC MR AK SB SC MR AK SB SC MR AK

  • utbound

2−56 inbound average 1

  • utbound

2−56

(3) Propagate through MixRows of round 1 and round 4

using truncated differences (active bytes: 8 → 1) probability: 2−56 in each direction

(4) Match difference in one active byte of feed-forward (2−8) ⇒ collision for 4 rounds of Whirlpool with complexity 2120

slide-24
SLIDE 24

Extending the Attack to 5 Rounds [LMR+09]

S0 S1 S2 S3 S4 S5

SB SC MR AK SB SC MR AK SB SC MR AK SB SC MR AK SB SC MR AK

  • utbound

2−56 inbound average 1

  • utbound

2−56

By adding one round in the inbound phase of the attack we can extend the attack to 5 rounds The outbound phase is identical to the attack on 4 rounds

probability: 2−120

⇒ Construct 2120 starting points in the inbound phase with average complexity 1 (but increased memory of 264)

slide-25
SLIDE 25

Inbound Phase

3a c0 e6 b9 5a 8c 08 c0 e8 85 0d a2 b1 f8 16 4d f4 50 cc b1 60 ed 27 34 90 cc 01 63 20 85 51 96 d4 6d 0a 11 f4 b7 43 90 75 9a 70 96 1e 43 15 f1 1b 49 43 1e cd 5a de f8 5e 43 e9 4d bf d5 2b 07 cd c5 27 04 10 fc f8 5e ee ee ee 9f ee 23 71 c1 cd match

SSC

2

S2 SSB

3

SMR

3

MR AK SC SB MR AK SB SC MR

differences 264 differences 264 differences differences match differences 264 values/differences

(1) Start with arbitrary differences in state SMR

3

and SSB

3

we need to propagate all 264 differences backward at once

(2) Match-in-the-middle at SuperBox (SB − MR − AK − SB)

similar to 64-bit S-box (DDT has size 2128) time-memory trade-off with T · M = 2128

⇒ with complexity 264 we get ∼ 264 right pairs

slide-26
SLIDE 26

From Collisions to Near-Collisions

S0 S1 S2 S3 S4 S5 S6 S7

AC SB SH MB AC SB SH MB AC SB SH MB AC SB SH MB AC SB SH MB AC SB SH MB AC SB SH MB

1 2−56 average 1 2−56 1

Add one round at input and output

no additional complexity MixRows: 1 → 8 with probability 1

⇒ Near-collision attack for 7 rounds

time complexity 2112 and 264 memory

slide-27
SLIDE 27

Compression Function Attacks

Hj−1 Hj

state update SB SC MR AK key schedule SB SC MR AC

∆Mj

We can freely choose the chaining input Hj−1

no differences in Hj−1 semi-free-start (near-) collisions

Extend previous attacks by 2 rounds

using multiple inbound phases

Outbound phases of attacks stay the same

slide-28
SLIDE 28

Inbound Phase

S0 S1 S2 S3 S4 S5

SB SC MR AK SB SC MR AK SB SC MR AK SB SC MR AK SB SC MR AK 1st inbound phase connect 2nd inbound phase

Basic Idea: use two independent inbound phases connect them using 512-bit freedom of key input (S3 = SMR

2

⊕ K3)

slide-29
SLIDE 29

Inbound Phase

S0 S1 S2 S3 S4 S5

SB SC MR AK SB SC MR AK SB SC MR AK SB SC MR AK SB SC MR AK 1st inbound phase connect 2nd inbound phase

In practice: Slightly more tricky than that (3 key inputs involved) connect rows independently find 264 solutions with complexity 2128 ⇒ Collision on 7 and near-collision on 9 rounds (compression function distinguisher for full 10 rounds)

slide-30
SLIDE 30

Summary of Results on Whirlpool

target rounds computational memory type complexity requirements hash 5.5 2184−s 2s collision function 7.5 2176−s 2s near-collision compression 7.5 2184 264 collision function 9.5 2176 264 near-collision 10 2188 264 distinguisher

slide-31
SLIDE 31

Summary

Basic principle not that difficult

efficient inbound phase (average 1) probabilistic outbound phase (determined by linear layer)

Difficulty in constructing and merging inbound phases

finding good and sparse truncated differential paths efficient way to use available freedom for merge

⇒ powerful tool in the cryptanalysis of hash functions

slide-32
SLIDE 32

Thank you for your attention!

http://eprint.iacr.org/2010/198

slide-33
SLIDE 33

References I

Paulo S. L. M. Barreto and Vincent Rijmen. The WHIRLPOOL Hashing Function. Submitted to NESSIE, September 2000, revised May 2003, 2000. Available online: http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html. Henri Gilbert and Thomas Peyrin. Super-Sbox Cryptanalysis: Improved Attacks for AES-Like Permutations. In Seokhie Hong and Tetsu Iwata, editors, FSE, volume 6147 of LNCS, pages 365–383. Springer, 2010. J´ er´ emy Jean, Mar´ ıa Naya-Plasencia, and Thomas Peyrin. Improved Rebound Attack on the Finalist Grøstl. In Anne Canteaut, editor, FSE, volume 7549 of LNCS, pages 110–126. Springer, 2012. J´ er´ emy Jean, Mar´ ıa Naya-Plasencia, and Martin Schl¨ affer. Improved Analysis of ECHO-256. In Ali Miri and Serge Vaudenay, editors, Selected Areas in Cryptography, volume 7118 of LNCS, pages 19–36. Springer, 2011. Stefan K¨

  • lbl and Florian Mendel.

Practical Attacks on the Maelstrom-0 Compression Function. In Javier Lopez and Gene Tsudik, editors, ACNS, volume 6715 of LNCS, pages 449–461, 2011. Dmitry Khovratovich, Mar´ ıa Naya-Plasencia, Andrea R¨

  • ck, and Martin Schl¨

affer. Cryptanalysis of Luffa v2 Components. In Alex Biryukov, Guang Gong, and Douglas R. Stinson, editors, Selected Areas in Cryptography, volume 6544 of LNCS, pages 388–409. Springer, 2010.

slide-34
SLIDE 34

References II

Mario Lamberger, Florian Mendel, Christian Rechberger, Vincent Rijmen, and Martin Schl¨ affer. Rebound Distinguishers: Results on the Full Whirlpool Compression Function. In Mitsuru Matsui, editor, ASIACRYPT, volume 5912 of LNCS, pages 126–143. Springer, 2009. Mario Lamberger, Florian Mendel, Christian Rechberger, Vincent Rijmen, and Martin Schl¨ affer. The Rebound Attack and Subspace Distinguishers: Application to Whirlpool. Cryptology ePrint Archive, Report 2010/198, 2010. Krystian Matusiewicz, Mar´ ıa Naya-Plasencia, Ivica Nikoli´ c, Yu Sasaki, and Martin Schl¨ affer. Rebound Attack on the Full Lane Compression Function. In Mitsuru Matsui, editor, ASIACRYPT, volume 5912 of LNCS, pages 106–125. Springer, 2009. Marine Minier, Mar´ ıa Naya-Plasencia, and Thomas Peyrin. Analysis of Reduced-SHAvite-3-256 v2. In Antoine Joux, editor, FSE, volume 6733 of LNCS, pages 68–87. Springer, 2011. Florian Mendel, Thomas Peyrin, Christian Rechberger, and Martin Schl¨ affer. Improved Cryptanalysis of the Reduced Grøstl Compression Function, ECHO Permutation and AES Block Cipher. In Michael J. Jacobson Jr., Vincent Rijmen, and Reihaneh Safavi-Naini, editors, Selected Areas in Cryptography, volume 5867 of LNCS, pages 16–35. Springer, 2009. Florian Mendel, Christian Rechberger, and Martin Schl¨ affer. Cryptanalysis of Twister. In Michel Abdalla, David Pointcheval, Pierre-Alain Fouque, and Damien Vergnaud, editors, ACNS, volume 5536 of LNCS, pages 342–353, 2009.

slide-35
SLIDE 35

References III

Florian Mendel, Christian Rechberger, Martin Schl¨ affer, and Søren S. Thomsen. The Rebound Attack: Cryptanalysis of Reduced Whirlpool and Grøstl. In Orr Dunkelman, editor, FSE, volume 5665 of LNCS, pages 260–276. Springer, 2009. Florian Mendel, Christian Rechberger, Martin Schl¨ affer, and Søren S. Thomsen. Rebound Attacks on the Reduced Grøstl Hash Function. In Josef Pieprzyk, editor, CT-RSA, volume 5985 of LNCS, pages 350–365. Springer, 2010. Mar´ ıa Naya-Plasencia. How to Improve Rebound Attacks. In Phillip Rogaway, editor, CRYPTO, volume 6841 of LNCS, pages 188–205. Springer, 2011. Mar´ ıa Naya-Plasencia, Deniz Toz, and Kerem Varici. Rebound Attack on JH42. In Dong Hoon Lee and Xiaoyun Wang, editors, ASIACRYPT, volume 7073 of LNCS, pages 252–269. Springer, 2011. Thomas Peyrin. Improved Differential Attacks for ECHO and Grøstl. In Tal Rabin, editor, CRYPTO, volume 6223 of LNCS, pages 370–392. Springer, 2010. Yu Sasaki, Yang Li, Lei Wang, Kazuo Sakiyama, and Kazuo Ohta. Non-full-active Super-Sbox Analysis: Applications to ECHO and Grøstl. In Masayuki Abe, editor, ASIACRYPT, volume 6477 of LNCS, pages 38–55. Springer, 2010. Yu Sasaki, Lei Wang, Shuang Wu, and Wenling Wu. Investigating Fundamental Security Requirements on Whirlpool: Improved Preimage and Collision Attacks. In Xiaoyun Wang and Kazue Sako, editors, ASIACRYPT, volume 7658 of LNCS, pages 562–579. Springer, 2012.